XBash Malware Security Advisory

XBash Malware Security Advisory

October 18, 2018 | Adeline Zhang

On September 17, 2018, Unit42 researchers published an analysis of a new malware family XBash on its official blog. According to them, XBash was developed by the Iron Group, a cybercrime organization that has been active since 2016. The malware was named XBash based on the name of the malicious code’s original main module. XBash combines functions of ransomware, coinminers, botnets, and worms to target Linux and Microsoft Windows servers.

An XBash attack consists of multiple stages: self-propagation (exploit), download of target addresses to be scanned, upload of information about target vulnerabilities, download of weak passwords of the targets, and brute-force attack of the targets. The malware is capable of self-propagating and fast spreading. Similar to WannaCry and Petya/NotPetya, it seeks targets by scanning TCP or UDP ports and exploits known vulnerabilities to compromise servers, causing a permanent damage to data.

According to NSFOCUS Threat Intelligence center (NTI), the IP address (104.24.106.22) of the command and control (C&C) server currently used by the malware is located in the USA. It is found that the wallet address provided in ransom messages has garnered 1.09 BTC. Considering the average ransom of 0.02 BTC in an individual event, at least 54 victims have paid the demanded ransom.

Propagation and Impact

Developed using Python, XBash was then converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution. Therefore, it is truly cross-platform and can run on macOS, Linux, and Windows platforms, with Windows and Linux servers as the main targets. In addition, the malware can not only attack public IP addresses but also probe intranets. This expansion of the scope of activities beyond the public Internet enables it to exert an extensive impact.

Initially, the malware used a weak password dictionary to crack passwords. Later, it included exploitation of three known vulnerabilities in Yarn, Redis, and ActiveMQ for self-propagation or infection of target servers.

Up to now, it is confirmed that the malware has scanned such web services as VNC, Rsync, MySQL, MariaDB, Memcached, PostgreSQL, MongoDB, phpMyAdmin, Telnet, FTP, and Redis, and has targeted three known vulnerabilities:

Hadoop YARN Resource Manager unauthenticated command execution, which was first disclosed in October 2016, with no CVE ID assigned

Redis arbitrary file write and remote command execution, which was first disclosed in October 2015, with no CVE ID assigned

ActiveMQ arbitrary file write, which was assigned CVE-2016-3088

When the exploit succeeds, XBash will either directly execute a shell command to download and to execute malicious shell or Python scripts, or create a new cron job to do the same. The main functions of malicious scripts are to kill other coinminers, download coinminers developed by the Iron cybercrime group, and download Xbash itself onto the target system for further propagation.

Monitoring and Protection

To defend against XBash, NSFOCUS has updated rule packages for some of its security products. Users are advised to load these packages as soon as possible to ensure that these security products can effectively detect and protect against this malware. The following table lists rule base versions of NSFOCUS security products.

Protection Product

Upgrade Package/Rule Base Version

NSFOCUS NIPS/NIDS

5.6.7.739, 5.6.8.739, 5.6.9.18693, and 5.6.10.18693

NSFOCUS NF

5.6.7.740 and 6.0.1.740

For the procedure of updating rule bases, see appendix B Product Use Guide.

NSFOCUS Threat Analysis Center (TAC) can detect attempts of XBash to infiltrate an intranet via web or email. Following is a screenshot of NSFOCUS TAC’s analysis of an XBash event.

Risk Avoidance

1 Security Tips

Use complex passwords for login accounts of the server operating system and various business information systems to avoid weak password attacks.

Patch or upgrade Hadoop, Redis, and ActiveMQ that run on Windows in time to avoid exploits.

Back up data from time to time to promptly restore business in case of data damage.

Install endpoint protection software to prevent endpoints from being compromised.

Deploy boundary protection devices for proactive monitoring and protection to block malware and intrusion events to the maximum extent possible.

2 Deployment of Security Products

To defend against XBash, NSFOCUS has updated rule packages for some of its security products. Users are advised to load these packages as soon as possible to ensure that these security products can effectively detect and protect against this malware. The following table lists rule base versions of NSFOCUS security products.

Protection Product

Upgrade Package/Rule Base Version

NSFOCUS NIPS

5.6.7.739, 5.6.8.739, 5.6.9.18693, and 5.6.10.18693

NSFOCUS NF

5.6.7.740 and 6.0.1.740

For the procedure of updating rule bases, see appendix B Product Use Guide.

Sample Analysis

This malware tries to plant itself into a system by leveraging weak passwords or unpatched vulnerabilities. If successful, it will attempt to use statements to clear various databases, including MySQL, PostgreSQL, and MongoDB, besides leaving a ransom message.

Major Functions

Weak Password Cracking

The program obtains a weak password dictionary and adds it to a list:

Following is a local user name dictionary:

Following is a local weak password dictionary:

Port Scan/Attack

The malware first performs a port scan against random IP addresses in a specified segment. Then, depending on which ports are opened, it conducts different malicious activities.

Target Port

Target Service

Malicious Behavior

80

phpMyAdmin

8080, 8888, 8000, 8001, 8088

phpMyAdmin

Detects and exploits vulnerabilities in Hadoop.

8161

Detects and exploits vulnerabilities in ActiveMQ.

873

Detects weak passwords for access to rsync and, when successful, returns records to the server.

5900, 5901, 5902

VNC

1433, 3306, 3307, 3308, 3309, 3360, 9806

MySQL/MariaDB

11211

Memcached

5432

PostgreSQL

27017

MongoDB

2379, 6379, 7379

Redis

Detects and exploits vulnerabilities in Redis.

9200

Elasticsearch

23, 2323

Telnet

161, 123, 389, 512, 513, 514, 1900, 3389, 5984

Scans ports.

Ransom

The malware displays a message, saying that the database has been backed up to the attacker’s server and the user has to pay 0.02 BTC as ransom for data recovery. However, the malware does not have the capability of backing up databases. Therefore, users will not get back their database files even if they pay the ransom.

Exploit

In the new version of XBash, we find payloads of some known vulnerabilities:

ActiveMQ arbitrary file write (CVE-2016-3088):

Hadoop YARN remote command execution:

Redis remote command execution:

Weak password cracking:

Coinmining Script Execution

When detecting the Redis service running on the Windows operating system, the malware exploits a vulnerability in Redis to call shell commands, in an attempt to download the JavaScript script via a remote server by using mshta/regsvr32 for deploying the malware or coinminer.

Following is the PowerShell script executed by the coinmining module under Windows:

Following is the JavaScript script executed by the coinmining module under Windows:

……

Disclaimer Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit:

http://www.nsfocusglobal.com.

NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.